
finding ways to implement compensating controls to gain compliance with part of the standard and they end up spending way too much money in the process.

"If you think the QSA is your enemy, you've missed the opportunity to improve security at your organization."

Anton Chuvakin, Security Consultant, Security Warrior Consulting

"If you don't agree with a particular PCI provision and you think you can do things better, that's fine, but you have to build a case for a compensating control," said Anton Chuvakin, co-author of "PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance."

Chuvakin, an independent consultant focusing on logging, SIEM and PCI DSS compliance, spoke on ways merchants can more effectively address PCI issues and achieve PCI security compliance during a session "PCI Done Right and Wrong," at SOURCE Boston 2010 last week. He was joined by the book's co-author Branden Williams, a former PCI qualified security assessor and director of security consulting at RSA, the security division of EMC Corp.


When most merchants begin assessing their environment against the PCI standard, there will be a gap between the current environment and the implementation of PCI controls. If the enterprise is going to implement security technologies to comply with PCI, it must be prepared to maintain them, Chuvakin said. Organizations must understand that PCI is the floor, not the ceiling, he said. Companies should work toward exceeding the baseline and ensuring that PCI security compliance initiatives are a continuous process.

More enterprises need to think of the QSA as a partner, not their adversary. Work with a good QSA to get an objective assessment, Williams said. It's important to pick a QSA that understands the business because "ultimately you don't want someone making a decision that breaks your business," Williams said.

Other organizations get caught up treating compensating controls as a shortcut. Nearly all enterprises implement at least one compensating control during the PCI compliance process, but the approach must be taken cautiously, he said.

"I've seen cases where a company sat around for six months working on a compensating control," Williams said. "In the end, to fix the problem would have cost $3 million, but doing the compensating control came in at $6 million."

One common misconception among merchants is that acquiring banks require the merchant to retain credit card data for seven years after a transaction has taken place. Most firms can eliminate the actual credit card data, Williams said.

"You can go back and scrub the data," he said. "You don't have to have a credit card number for seven years, just a record of the transaction."
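As an added illustration of the scrubbing Williams describes (example code written for this page, not code from the speakers or their book): it strips the card number out of stored transaction records while keeping the transaction itself, retaining only the last four digits plus a keyed HMAC token so records can still be correlated without holding a PAN. A Luhn check keeps the free-text scrub from mangling ordinary long numbers such as order references. The record layout, field names, TOKEN_KEY value and sample records are all constructed assumptions; the PANs used are standard test numbers.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from typing import Any

# Hypothetical tokenization key, constructed for this example. In a real
# deployment it would live in a key-management service or HSM, never in code.
TOKEN_KEY = b"example-key-not-for-production"

# Runs of 13-19 digits, optionally separated by spaces or dashes, bounded by non-digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records: two valid test PANs and one number that fails Luhn.
SAMPLE_RECORDS = [
    {"txn_id": "T1001", "date": "2010-04-21", "amount": "49.99", "pan": "4111111111111111",
     "notes": "customer confirmed card 4111 1111 1111 1111 by phone"},
    {"txn_id": "T1002", "date": "2010-04-21", "amount": "12.00", "pan": "5500000000000004",
     "notes": "order ref 20100421123456 shipped"},  # 14-digit order ref fails Luhn, must be left alone
    {"txn_id": "T1003", "date": "2010-04-22", "amount": "7.50", "pan": "1234567890123456",
     "notes": ""},
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str) -> str:
    """Keyed, non-reversible token so scrubbed records can still be correlated."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the truncated form PCI DSS permits to retain."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_text(text: str) -> str:
    """Mask any Luhn-valid card-number-shaped run found inside free text."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_PATTERN.sub(repl, text)


def scrub_record(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record with the PAN removed and only last4 + token kept."""
    out = dict(record)
    pan = out.pop("pan", None)
    # Scrub free-text fields first so the hex token added below is never touched.
    for key, value in out.items():
        if isinstance(value, str):
            out[key] = scrub_text(value)
    if pan is not None:
        digits = re.sub(r"[ -]", "", pan)
        out["pan_last4"] = digits[-4:]
        out["pan_token"] = tokenize_pan(digits)
        out["pan_luhn_ok"] = luhn_valid(digits)  # flag malformed values for review
    return out


def scrub_records(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    return [scrub_record(r) for r in records]


if __name__ == "__main__":
    for r in scrub_records(SAMPLE_RECORDS):
        print(r)
```

The scrubbed records keep everything a merchant needs to answer a chargeback or reconcile a transaction (date, amount, authorization reference) while the full card number no longer exists in the store; the token, being keyed, cannot be reversed into a PAN by anyone who obtains the database alone.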

Both experts urged attendees to find experienced assessors and avoid misrepresenting the company's current environment.

"If you treat your QSA like an auditor, they're going to ask closed-ended questions and you're not going to have success," Williams said. "Ultimately, the goal is to improve overall security."
